The smoking gun document is not regularly found…but when it is it can turn a case on its head!
When working on an investigation it is now, and has been for several years, common practice to examine any electronic information that is available within the sphere of the engagement. Advances in technology mean that a majority of documentation is now electronic as well as paper-based. It is generally easy to destroy paper-based documents but not so with electronic information, especially as people tend to forget what actually is stored on their computer systems.
We recently worked on an investigation following the sale of an IT company where there were allegations of supplier collusion to inflate revenue figures. We reviewed the data contained on the server and personal computers of the directors of the company. The directors at the company were the previous owners, and their employment was maintained to ensure the company continued to operate efficiently. After a couple of weeks of work the investigation team had gleaned enough knowledge to understand how the fraud had worked and who was involved. What was lacking was documentary evidence that senior directors were aware of and had authorised this business. The smoking gun!
During the review of one of the director’s personal computers a ten-page memo was discovered which detailed the strategy for obtaining the maximum price from the sale of the company. This document contained the directors’ detailed plans, establishing that not only did they intend to use legitimate measures to enhance the sale price, but also some underhanded ones. The document not only proved knowledge of the fraud, but also the fact that the directors were the individuals who devised it. The director in question had obviously not been the most IT-literate person in the world and had left the memo residing in the recycle bin, which he had not emptied.
This information was subsequently put to the director in question during an interview, and when faced with the inevitable he started to be co-operative. Not only did he confess to all of the facts of the scheme we were investigating, including all of the other people involved, but he also confessed to other fraudulent transactions that had been entered into, thinking we already knew about them. What really astounded the suspect was that the “delete” button didn’t actually delete anything!
The eventual outcome of this case was that the new owners were able to recover in excess of one million pounds from the previous owners as a result of our work. In this case the smoking gun was an electronic copy of a memo, and it turned the case on its head, leading to us having a very happy client!
When an investigation involves digital evidence it is essential that the investigators ensure they comply with the ACPO guidelines on computer-based evidence. This is the yardstick that every UK law enforcement officer must follow, and so we, as commercial investigators, should also comply with it. The primary principles of the guidelines are:
* No action taken should change data held on a computer or other media;
* In exceptional circumstances where it is necessary to access original data held on a target computer that person must be competent to do so and be able to explain the relevance and the implications of their actions; and
* An audit trail should be created and preserved so that the processes applied to the evidence can be repeated.
To conform to these it is essential that a properly qualified and experienced person be used to carry out this work. The following actions must also be taken to aid the investigator, and to avoid damaging the integrity of any potential evidence.
* Do not turn on the PC – it must be started using forensic computing software that prevents writing data to the computer’s hard disk during the start-up process.
* Do not use the “shutdown” command. If the PC is already on, turn it off at the mains switch – during normal shutdown, numerous temporary files (e.g. print files) are removed that may otherwise have provided valuable information. There is also the risk that the suspect may have programmed the computer to overwrite data during shutdown.
* Do freeze the scene – ensure that the PC and all other digital media (e.g. floppy disks) are secured as possible evidence.
* Do attempt to identify the user.
* Do call a forensic computing expert.
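The first and third principles above, leaving the original data unchanged and keeping a repeatable audit trail, are in practice demonstrated by hashing the acquired image and logging the hash alongside who did what, when and with which tool. The following Python is an added example, not code from the original article: it hashes a constructed stand-in image, appends an audit record as a JSON line, and shows that a single altered bit is caught on re-verification (the file names, examiner and tool values are hypothetical).

```python
import datetime, hashlib, json, tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def record_acquisition(image_path, audit_path, examiner, tool, notes=""):
    """Append one audit-trail entry (who, when, which tool, resulting hash) as a JSON line."""
    entry = {"timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
             "examiner": examiner, "action": "acquire", "tool": tool,
             "image": str(image_path), "sha256": sha256_file(image_path), "notes": notes}
    with open(audit_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry["sha256"]

def verify_image(image_path, audit_path):
    """Re-hash the image and compare with the hash logged at acquisition.
    Returns (matches, expected, actual); a mismatch means the evidence has changed."""
    with open(audit_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    acquisitions = [e for e in entries
                    if e["action"] == "acquire" and e["image"] == str(image_path)]
    if not acquisitions:
        raise ValueError(f"no acquisition record for {image_path}")
    expected = acquisitions[-1]["sha256"]
    actual = sha256_file(image_path)
    return actual == expected, expected, actual

def demo():
    """Constructed sample: hash and log a stand-in image, verify it, then alter one bit."""
    workdir = Path(tempfile.mkdtemp())
    image = workdir / "suspect_pc.dd"          # hypothetical image file name
    audit = workdir / "audit_trail.jsonl"      # hypothetical audit log name
    image.write_bytes(b"\x00" * 4096 + b"memo.doc (recycle bin)")   # constructed content
    record_acquisition(image, audit, examiner="Examiner A", tool="dd (example)",
                       notes="acquired through a hardware write-blocker")
    ok_before = verify_image(image, audit)[0]   # True: untouched since acquisition
    data = bytearray(image.read_bytes())
    data[100] ^= 0x01                           # one flipped bit, as an accidental write would cause
    image.write_bytes(bytes(data))
    ok_after = verify_image(image, audit)[0]    # False: the audit trail no longer reproduces
    return ok_before, ok_after
```

Because the log records the hash together with the examiner, time and tool, an independent third party can re-run the hash and confirm the image they were handed is the one that was acquired.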
Where should I look for digital evidence?
There are a multitude of devices available that could contain evidence relevant to a case, some of which are far from obvious. I was at a seminar recently where a law enforcement officer was talking about how he had to investigate the electronics of a cooker as part of a murder inquiry in an attempt to prove that it was used at a specific date and time. Unfortunately that information is not recorded…at the moment! When he spoke to the manufacturer however, he was told that it will not be too far in the future that this information will be recorded, along with how long the cooker was on, what temperature, etc. etc. When you consider that this is a cooker we are talking about, you soon begin to get a picture of the devices that could contain evidence.
Here is a short list of some of those devices.
Hard disks
The first and most obvious sources of evidence are the hard disks contained within the computer itself, or a server. These are invaluable to an investigator, as not only do they contain data files that the suspect has been working on but they also contain information about how the computer was used. For example, what Internet sites the person visited, what applications they had installed and what were the most recent files they accessed.
Removable media
What is meant by this term are floppy disks, CDs, DVDs, zip disks and any other similar media that can be removed from the computer itself. This type of media is used for various tasks: as a backup, to transfer files between computers, or, possibly, to store data that the user doesn’t want on their hard disk! During one case we worked on, we found that the computers themselves appeared to be perfectly clean, not a sign of an incriminating document. But, during a search of the office, we came across a shoebox full of floppy disks. When these were subsequently reviewed we found hundreds of false invoices that had been created for fraudulent purposes.
Personal digital assistants
Your Palm Pilot, Psion organiser, Compaq iPAQ, or whatever you use as a personal digital assistant contains a huge amount of data that could be relevant to an investigator. They all generally contain an address book, a calendar, a to-do list, a notepad and applications that allow you to write and store documents on them. This is all very useful information to an investigator, and as these devices become more popular and more powerful, they are only going to become more important during an investigation.
Non-volatile memory devices
These are the devices that we all use in our digital cameras, digital video cameras and MP3 players: Compact Flash cards, Smart Media cards, Memory Sticks, etc. However, these devices can be used for more than that. Their architecture is identical to that of a disk, therefore when a computer reads them they are viewed as a normal disk and hence can be written to and read from. How hard is it to do this? If you visit Tottenham Court Road in London you can pick up a device that can read and write to all of the above technologies (and many more) for under £30. Having this piece of equipment allows a user to save any type of data to the media, for example Word documents or Excel spreadsheets. These devices are also growing very large in capacity, and hence capable of storing large amounts of data.
Telephones
This can include mobile phones, faxes, desktop phones or the switchboard system at the company, all of which can provide very useful information. They all record details of who a person has called, and sometimes when and for how long.
Mobile phones are becoming more and more advanced and contain ever-increasing amounts of data, for example an address book and a diary, as well as Internet connectivity and SMS messaging facilities, all of which could be important to a case. Using a direct connection to the phone and a specialised SIM card reader, the investigator can access this information, as well as, potentially, information that the user thought they had erased.
Photocopiers
Some new photocopiers are actually a scanner and a printer combined. They scan the documents to a hard disk within the photocopier and then print them from there. Although it is a tricky and potentially terminal process for the photocopier, the hard disk can be recovered and examined in an attempt to recover the documents that have been copied.